How Valuable is Your Healthcare Data?

Health care is a hot topic in security right now. A quick search for “hospital ransomware” returns a laundry list of news reports on hospitals as targets of cyberattacks. However, it is not just ransomware that people need to worry about. In the re…

Health care is a hot topic in security right now. A quick search for “hospital ransomware” returns a laundry list of news reports on hospitals as targets of cyberattacks. However, it is not just ransomware that people need to worry about. In the report Health Warning: Cyberattacks Are Targeting the Health Care Industry, our McAfee Labs team digs into the dark underbelly of cybercrime and data loss involving health care records. In this case, the darkrefers to the dark web.

Following up on the Hidden Data Economy report, we looked further to see if medical data was showing up for sale. We found dark web vendors offering up medical data records by the tens of thousands. One database for sale offered information on 397,000 patients!

2016-10-27_17-36-06

These databases contained not only names, addresses, and phone numbers of patients, but also data about their health care insurance providers and payment card information.

What’s it worth?

Of course, for this to be worth a cybercriminal’s time, they must be able to profit from it. We are finding that health care records to be a bit less valuable than records such as payment card records that contain financial information. The going price for a single record of information on a user that includes name, Social Security number, birth date, account information such as payment card number (referred to as fullz in dark web lingo) can range from $14 to $25 per record. Medical records sell for a much lower price, anywhere from a fraction of a cent to around $2.50 per record.

Does this mean medical records are not as valuable? Although not as lucrative as fullz, medical record information has  higher value than just a username/password record when sold on the dark web. We think that sellers are trying to maximize their gain from the data theft. In one underground market forum, a seller listed 40,000 medical records for $500, but specifically removed the financial data and sold that separately.

Why is the health care industry a target?

Although there are regulations and guidelines for the health care industry to protect patient information, the industry itself faces many challenges. Foremost, the focus of the majority of health care workers is the treatment of patients. Because they are dealing with life and death situations, the equipment used to treat patients must be working and available at a moment’s notice. This means there is often little time to install a patch or an update on a piece of medical equipment. The equipment may also be running an outdated operating system that simply cannot be patched to protect against the latest threats. It is not uncommon to see medical equipment running on Windows 95. The medical industry is also subject to FDA regulations and approvals. There may be equipment that is approved by the FDA only on an older operating system and would need to be recertified if updated.

How do I stay safe?

Unfortunately, these data breaches are outside the control of the average person. Health care providers typically use the information they collect from you for your treatment, so you cannot withhold your home address or phone number. As a consumer, you need to be alert for health care data breaches that potentially impact you.

  • Pay attention to the news: Once discovered, medical data breaches tend to make the evening news. Even if you went to a health care provider only once to get an x-ray because you thought you broke your thumb and that provider experiences a data breach, odds are your information was compromised.
  • Monitor your credit score: A common use for resold information is the opening of credit cards or bank accounts. Subscribing to a credit-monitoring service will help you know if a new account has been opened without your knowledge.
  • Watch out for phishing: If your contact information has been stolen, you are almost certain to be the target of numerous phishing attempts. Keep an eye out for suspicious emails and text messages. You can read one of my previous blogs for tips on how to spot a phishing attempt.

The nature of today’s digital world can unfortunately cause our personal and private data to be leaked. If you stay vigilant, you can reduce the impact these breaches will have on your life.

Stay on top of the latest consumer and mobile security threats by following me and @IntelSec_Home on Twitter, and “Like” us on Facebook.

Stay Safe!

The post How Valuable is Your Healthcare Data? appeared first on McAfee Blogs.

How Valuable is Your Healthcare Data?

Health care is a hot topic in security right now. A quick search for “hospital ransomware” returns a laundry list of news reports on hospitals as targets of cyberattacks. However, it is not just ransomware that people need to worry about. In the re…

Health care is a hot topic in security right now. A quick search for “hospital ransomware” returns a laundry list of news reports on hospitals as targets of cyberattacks. However, it is not just ransomware that people need to worry about. In the report Health Warning: Cyberattacks Are Targeting the Health Care Industry, our McAfee Labs team digs into the dark underbelly of cybercrime and data loss involving health care records. In this case, the dark refers to the dark web.

Following up on the Hidden Data Economy report, we looked further to see if medical data was showing up for sale. We found dark web vendors offering up medical data records by the tens of thousands. One database for sale offered information on 397,000 patients!

2016-10-27_17-36-06

These databases contained not only names, addresses, and phone numbers of patients, but also data about their health care insurance providers and payment card information.

What’s it worth?

Of course, for this to be worth a cybercriminal’s time, they must be able to profit from it. We are finding that health care records to be a bit less valuable than records such as payment card records that contain financial information. The going price for a single record of information on a user that includes name, Social Security number, birth date, account information such as payment card number (referred to as fullz in dark web lingo) can range from $14 to $25 per record. Medical records sell for a much lower price, anywhere from a fraction of a cent to around $2.50 per record.

Does this mean medical records are not as valuable? Although not as lucrative as fullz, medical record information has  higher value than just a username/password record when sold on the dark web. We think that sellers are trying to maximize their gain from the data theft. In one underground market forum, a seller listed 40,000 medical records for $500, but specifically removed the financial data and sold that separately.

Why is the health care industry a target?

Although there are regulations and guidelines for the health care industry to protect patient information, the industry itself faces many challenges. Foremost, the focus of the majority of health care workers is the treatment of patients. Because they are dealing with life and death situations, the equipment used to treat patients must be working and available at a moment’s notice. This means there is often little time to install a patch or an update on a piece of medical equipment. The equipment may also be running an outdated operating system that simply cannot be patched to protect against the latest threats. It is not uncommon to see medical equipment running on Windows 95. The medical industry is also subject to FDA regulations and approvals. There may be equipment that is approved by the FDA only on an older operating system and would need to be recertified if updated.

How do I stay safe?

Unfortunately, these data breaches are outside the control of the average person. Health care providers typically use the information they collect from you for your treatment, so you cannot withhold your home address or phone number. As a consumer, you need to be alert for health care data breaches that potentially impact you.

  • Pay attention to the news: Once discovered, medical data breaches tend to make the evening news. Even if you went to a health care provider only once to get an x-ray because you thought you broke your thumb and that provider experiences a data breach, odds are your information was compromised.
  • Monitor your credit score: A common use for resold information is the opening of credit cards or bank accounts. Subscribing to a credit-monitoring service will help you know if a new account has been opened without your knowledge.
  • Watch out for phishing: If your contact information has been stolen, you are almost certain to be the target of numerous phishing attempts. Keep an eye out for suspicious emails and text messages. You can read one of my previous blogs for tips on how to spot a phishing attempt.

The nature of today’s digital world can unfortunately cause our personal and private data to be leaked. If you stay vigilant, you can reduce the impact these breaches will have on your life.

Stay on top of the latest consumer and mobile security threats by following me and @IntelSec_Home on Twitter, and “Like” us on Facebook.

Stay Safe!

The post How Valuable is Your Healthcare Data? appeared first on McAfee.

A “Second Economy” Prognosis for Health Care Cybersecurity

Intel Security CTO Steve Grobman has pointed out that gaining the upper hand in cybersecurity requires that we extend our thinking beyond the physical economy of money, assets, goods, and services to a Second Economy defined by the currencies of trust,…

Intel Security CTO Steve Grobman has pointed out that gaining the upper hand in cybersecurity requires that we extend our thinking beyond the physical economy of money, assets, goods, and services to a Second Economy defined by the currencies of trust, time, and money.

As in other industries, health care is working toward maximizing efficiencies, containing expenses, capturing revenues, and delivering enhanced services through networked devices. Unfortunately, the new opportunities also involve challenges born of a reliance on fragmented cybersecurity strategies built around siloed architectures, and a failure to recognize the value of the extensive data stores the health care sector manages. Losing intellectual property and business confidential information could destroy whole pharmaceutical or biotech companies. Losing personal, sensitive patient data could squander the precious currency of trust in digital medicine, in care providers, and their application of technology.

A McAfee Labs report released today details some of the consequences of health care industry players failing to appreciate the value of data, the attractiveness of that data to cybercriminals, and the ecosystem growing around the theft of such data. The report, “Health Warning: Cyber Threats Targeting and Compromising the Health Industry,” features three areas of focus.

The value of protected health information

In recent years, Intel Security has observed the cybercriminal community extend its data theft efforts beyond financial account data to medical records.

Although credit and debit card numbers can be canceled and replaced quickly, this is not the case for protected health information (PHI) that does not change. This “nonperishable” PHI could include family names, mothers’ maiden names, social security or pension numbers, payment card and insurance data, and patient address histories. McAfee Labs found stolen medical records available for from $0.03 to $2.42 per record.

Cybercriminals analyze the data, and perhaps cross-reference it with data stolen from other sources to identify lucrative fraud, theft, extortion, character assassination, or blackmail opportunities across the population of patients.

Targeting intellectual property

Our research and analysis on the targeting of biotechnology and pharmaceutical firms suggest that the economic value of their intellectual property and business confidential information is considerably higher than the cents- and dollars-per-record data Intel Security’s researchers identified within patients health care accounts.

When you consider that research and development is a tremendous expense for these industries, it should be no surprise that cybercriminals are attracted to this category of data theft.

Intel Security researchers found evidence that formulas for next-generation drugs, drug trial results, and other business confidential information constitutes significant value. The stores of such data at pharmaceutical companies, their partners, and even government regulators involved in bringing new drugs to market have become premium targets of cybercriminals.

Ecosystem of health care data theft

Intel Security also identified cybercriminals leveraging the cybercrime-as-a-service market to execute their attacks on health care organizations. Researchers found evidence of the purchase and rental of exploits and exploit kits to enable the system compromises behind health care data breaches. The researchers even observed efforts by cybercriminals, through online ads and social media, to recruit into their ranks health care industry insiders with access to valuable information.

The Second Economy challenge

The growth and evolution of the market for stolen health care data and the hacking skills required to steal it suggest that the business of cybercrime in this vertical industry is good and growing. Given the increasing threat to the industry, breach costs ought to be evaluated in new Second Economy terms—in which lost trust can inflict as much damage upon individuals and organizations as lost funds.

In health care, gaining the upper hand in cybersecurity means rejecting conventional defense paradigms in favor of radical new thinking. Where health care organizations have relied on old playbooks, they must be newly unpredictable. Where they have hoarded information on attacks, exploits, and threats, the industry must become more collaborative. Where they have undervalued cyber defense overall, they must prioritize it.

In the Second Economy, trust is the prime casualty of cybercrime. In an industry in which the personal is paramount, the loss of trust could be catastrophic to its progress and prospects for success.

The post A “Second Economy” Prognosis for Health Care Cybersecurity appeared first on McAfee Blogs.